The U.S. Securities and Exchange Commission (SEC) has launched a stunning salvo across the bows of public companies with its announcement of civil monetary penalties and a cease-and-desist order against First American Financial Corporation (FAFC) for deficient disclosure controls and procedures related to cybersecurity risks.1 Combined with the New York State Department of Financial Services' (NYSDFS) first-ever charges for violating the NYSDFS' Cybersecurity Regulations,2 FAFC has been battling regulators on multiple fronts for the same cybersecurity risk management failure. In addition to the regulatory front, the NYSDFS action formed the basis of a shareholders' derivative suit against FAFC and its board of directors,3 as well as a number of purported consumer class-action lawsuits.
The warning bells and the grace periods appear to be over as the SEC and NYSDFS are now using their enforcement powers to ensure that companies implement robust cybersecurity risk management systems.4 With cyberattacks ever present and constantly evolving, it is only a matter of time before a company's cybersecurity risk management efforts and related controls, as well as corporate governance, will be exposed to regulatory scrutiny. To avoid substantial monetary penalties and other sanctions, companies need to develop comprehensive cybersecurity risk management standards and to test and upgrade their effectiveness regularly.
The FAFC Case
FAFC provides title insurance policies on residential and commercial real estate properties as well as closing and escrow services. On May 24, 2019, a cybersecurity journalist notified FAFC's investor relations personnel that its web application for sharing document images related to title and escrow transactions had a cybersecurity vulnerability that exposed sensitive personal information from more than 800 million documents from real estate transactions, including bank account numbers, mortgage and tax records, Social Security numbers, wire transaction receipts and driver's license images. After FAFC shut down external access to this web application, the journalist published an article regarding the vulnerability.5
On May 28, 2019, the first trading day following the publication of the article, FAFC filed a Form 8-K and press release with the SEC regarding the vulnerability. Unbeknownst to the senior executives responsible for the Form 8-K disclosure, FAFC information security personnel had learned about this vulnerability months earlier, failed to remedy the problem and, most importantly in the context of the SEC enforcement action, failed to communicate the issue to senior information security management prior to the journalist's warning. Moreover, between the journalist's warning and the Form 8-K disclosure, FAFC's chief information security officer and chief information officer learned of the information security personnel's prior knowledge of the vulnerability but failed to communicate this fact to FAFC senior executives responsible for the Form 8-K disclosure (including the CEO and CFO).
SEC Enforcement Action: Unknown Cybersecurity Risk Is Basis for Enforcement
On June 15, 2021, the SEC announced that it had settled its enforcement action against FAFC with an agreed-to cease-and-desist order and a civil monetary penalty of $487,616. The SEC found that FAFC's deficient disclosure controls and procedures related to cybersecurity risks violated Rule 13a-15(a) under the Securities Exchange Act of 1934, as amended (Exchange Act), which requires issuers registered under Section 12 of the Exchange Act to maintain disclosure controls and procedures to ensure the timely and accurate reporting of information as required by the SEC's rules and forms.
The SEC concluded that FAFC senior executives lacked information necessary to evaluate FAFC's cybersecurity responsiveness and the magnitude of the risk from the web application's vulnerability at the time they approved the Form 8-K. Although FAFC is in the business of providing services related to real estate transactions, the SEC determined that it ". . . did not have any disclosure controls and procedures related to cybersecurity, including incidents involving potential breaches of that data."6 In announcing this settlement, the chief of the SEC Enforcement Division's Cyber Unit warned that "[i]ssuers must ensure that information important to investors is reported up the corporate ladder to those responsible for disclosures."7
The SEC action against FAFC is notable on a number of levels. For one, this enforcement action is the first-ever finding of a violation under Rule 13a-15(a) with respect to disclosure controls and procedures related to cybersecurity risks after nearly a decade of such warnings. In its initial 2011 guidance concerning cybersecurity risks and disclosure obligations regarding cyber incidents, the SEC warned companies to evaluate potential deficiencies in their disclosure controls and procedures with respect to cybersecurity matters.8 In 2018, the SEC updated this guidance, in part, specifically to stress "the importance of maintaining comprehensive policies and procedures related to cybersecurity risks and incidents" in order to ensure that relevant information about cybersecurity risks and incidents is processed and reported up the corporate ladder to enable senior management to make accurate disclosures and related certifications.9 Since the 2018 guidance, the SEC has published additional advisories concerning the development of cybersecurity risk governance standards.10 With the FAFC action, the SEC has moved from guidance to enforcement, raising the stakes where public companies fail to implement robust cybersecurity risk management systems and related disclosure procedures.
On another level, this action continues the SEC's recent trend of dealing with disclosure-related matters through rules related to internal control over financial reporting and disclosure controls and procedures.11 By eschewing claims under securities disclosure laws, such as Sections 10 and 18 of the Exchange Act and rules thereunder, the SEC avoids the need to establish whether a disclosure was materially misleading or whether the disclosure failure involved scienter or other culpable behavior or knowledge of the persons making the disclosure. Rather, the SEC simplifies its inquiry to determine whether corporate controls and procedures alerted senior executives to particular facts and information.
Clearly, the SEC is using controls and procedures enforcement to drive cyber disclosure and to compel corporate governance standards similar to the way that executive compensation practices were influenced by the disclosure mandates of the Compensation Disclosure and Analysis section required in proxy statements. Nevertheless, with the pervasiveness and severity of cyberattacks, it may be only a matter of time before a company's cybersecurity risk management systems fall within the regulatory (and plaintiffs' bar) crosshairs.
The SEC is not the only agency using its regulatory powers to compel companies to develop comprehensive cybersecurity risk management systems. NYSDFS is the state government agency responsible for regulating New York financial services industries, including banks, insurance companies and mortgage loan servicers. NYSDFS issued detailed Cybersecurity Regulations, fully effective in March 2019, that set forth minimum, yet comprehensive, cybersecurity risk management systems.12 Under the Cybersecurity Regulations, New York financial services industries must have written policies concerning 14 cybersecurity risk factors,13 and a written incident response plan,14 conduct annual penetration testing,15 file annual certifications16 and more.
On July 22, 2020, the NYSDFS announced cybersecurity charges against FAFC. These charges, which are set for a hearing later this year, carry penalties of up to $1,000 per violation, with each instance of nonpublic information in the 800 million documents exposed constituting a separate violation.17 The charges against FAFC were the NYSDFS' first-ever cybersecurity enforcement action; however, within a year, NYSDFS announced three settlements for violations of the Cybersecurity Regulations with penalties ranging from $1.5 million to $3 million.18
To avoid substantial regulatory and civil claims, fines and penalties, public companies should carefully review their cybersecurity risk management systems, as well as their internal controls over financial reporting and disclosure controls and procedures related to cybersecurity risk. These controls, procedures and cyber-risk management policies should be reviewed by multifunctional teams, including personnel from information technology, internal audit, risk management and, particularly for companies operating in highly regulated industries such as financial services or that are otherwise consumer-facing, legal counsel with cyber expertise. Companies should consider enhancing written policies and procedures with respect to the various cybersecurity risk factors, establishing effective reporting structures for communicating cybersecurity vulnerabilities and cyber incidents to senior executives, developing protocols for monitoring and testing, preparing written incident response plans, and assessing various technical vulnerabilities. Moreover, because of the constantly evolving nature of cyberattacks and cybersecurity risks, regular review and testing of cybersecurity governance standards should be considered. Additionally, upon learning of cybersecurity vulnerabilities and/or cyber incidents, public companies need to quickly assess their reporting obligations to investors, the SEC and other regulatory agencies.
1 See SEC press release dated June 15, 2021: SEC Charges Issuer With Cybersecurity Disclosure Controls Failures and the related SEC Order.
2 See NYSDFS press release dated July 22, 2020: Department of Financial Services Announces Cybersecurity Charge Against a Leading Title Insurance Provider for Exposing Millions of Documents With Consumers' Personal Information and the related charges.
3 Hollett v. Gilmore, Case No. 1:20-cv-01620 (D. Del. Nov. 25, 2020); see also "First American hit with Derivatives Suit Over Data Breach," Rachel O'Brien, Law 360, Nov. 30, 2020.
4 Indeed, as this Holland & Knight alert is being published, numerous public companies are receiving inquiries from the SEC investigating the impact of the SolarWinds cyberattack and indicating the SEC's intention to enforce failures to appropriately disclose effects of the attack.
5 See "First American Financial Corp. Leaked Hundreds of Millions of Title Insurance Records," Brian Krebs, Krebs On Security, May 24, 2019.
6 SEC Order.
7 SEC press release dated June 15, 2021: SEC Charges Issuer With Cybersecurity Disclosure Controls Failures.
8 See SEC Division of Corporate Finance, CF Disclosure Guidance: Topic No. 2, Oct. 13, 2011.
9 See SEC, Commission Statement and Guidance on Public Company Cybersecurity Disclosures, Feb. 21, 2018.
10 See, e.g., SEC Office of Compliance and Inspection and Examination, Cybersecurity and Resiliency Observations.
11 See, e.g., the SEC's cease-and-desist order and $20 million civil money penalty against Andeavor LLC for a failure to maintain adequate internal controls in connection with entry into a 10b5-1 plan for share repurchases.
12 See Part 500 of Title 23 of the New York Codes, Rules and Regulations (CRR-NY).
13 23 CRR-NY § 500.3.
14 23 CRR-NY § 500.16.
15 23 CRR-NY § 500.5.
16 23 CRR-NY § 500.17.
17 See NYSDFS press release dated July 22, 2020: Department of Financial Services Announces Cybersecurity Charge Against a Leading Title Insurance Provider for Exposing Millions of Documents With Consumers' Personal Information.
18 See NYSDFS press release dated March 3, 2021, Department of Financial Services Announce Cybersecurity Settlement with Mortgage Lender; NYSDFS press release dated April 14, 2021, DFS Superintendent Lacewell Announces Cybersecurity Settlement with Licensed Insurance Company; NYSDFS press release dated May 13, 2021, DFS Superintendent Lacewell Announce Cybersecurity Settlement with . . . Life Insurance Companies.